“Millions of IoT Devices Vulnerable to Z-Wave Downgrade Attacks,” blares a headline from last week. “Could This Z-Wave Vulnerability Put Millions of Smart Devices at Risk?” scares up another.
The Z-Wave Alliance has heard it all before. Back in 2013, we learned how a hacker in close proximity to a Z-Wave device the exact moment it was being paired with a home automation controller … might be able to intercept the security key during the exchange … and then might be able to take control of the Z-Wave network.
“If you look at what is being reported, there’s nothing really new in terms of vulnerability since 2013,” says Raoul Wijgergangs, VP of Z-Wave for Silicon Labs, in an interview with CE Pro.
The tiniest vulnerability back then, he says, is even slighter now – much slighter – with Z-Wave’s new S2 security scheme, mandated for all new Z-Wave-certified devices.
The entire Z-Wave Alliance – including principal members ADT, LG, Samsung, Nortek and about 700 of their closest tech friends – knows about the so-called vulnerability and made a “conscious choice” to live with it in order to preserve backward-compatibility with some 100 million devices already deployed, says Wijgergangs.
Latest Hacking News
The dramatic headlines last week were in response to an ethical hack reported by Pen Test Partners, a UK-based penetration testing and IT security provider.
The group demonstrated how a really determined hacker could surreptitiously downgrade an end-user’s Z-Wave device from the new S2 security scheme to the original (less-secure) S0 scheme.
S2 is mandated for all new certified Z-Wave devices, but 100 million smart devices already exist with the S0 scheme – which isn’t exactly simple to hack in the first place.
In both cases, when a new device pairs to a network, the end device shares a one-time security key with the Z-Wave controller. In the case of S0, the key is not encrypted. With the right tools at the end user’s premises, a hacker could intercept the key during the brief pairing process, and then potentially own the Z-Wave network.
S2 fixes that vulnerability with encrypted keys, as long as both the controller and the end device employ the new protocol.
Pen Test found a way to strip out the part of the key exchange that carries the encrypted S2 signals, thereby making an S2 end device look like an S0 device and “negating all improvements” of S2, as Pen Test Partners tells it.
It’s Not a Flaw
First off, the Pen Test revelation that S2 could be rolled back to S0 wasn’t like some great discovery, according to Wijgergangs.
The S2 approach was “decided by a complete alliance of manufacturers that appreciates that consumers aren’t left behind,” he says.
The original S0 vulnerability, he adds, “is so small to begin with that they said it completely outweighs the risk to have backward compatibility rather than plug this theoretical security hole.”
Wijgergangs further explains, “When you create a security mechanism, you always have to weigh the complexity of set-up versus security. They decided there was such a small chance that someone would be near your home in the 20 milliseconds it takes to enroll a device.”
The evil-doer would have to be within 30 to 40 meters … and listening. In any case, once the device is enrolled into the network, the vulnerability is gone (although Pen Test argues an attacker could remove the batteries from a device to force a new key exchange).
Today, the Z-Wave Alliance requires S2-certified controllers to provide some kind of notification if an S0 device is being enrolled. Wijgergangs says the group plans to enhance the security measures such that customers would have to opt in to proceed with the enrollment.
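To make the controller-side mitigations described above concrete, here is an added example (not Z-Wave Alliance, Silicon Labs or Pen Test Partners code) modelling a controller's inclusion policy in simplified form: it notifies on any S0 enrollment, requires an opt-in before proceeding, and additionally flags a node that was previously enrolled at S2 but reappears offering only S0, which covers the forced re-pairing case mentioned earlier. The SecurityClass ordering, the Controller class and its notification strings are assumptions of this model, not Z-Wave's actual API.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class SecurityClass(IntEnum):
    """Z-Wave security schemes ordered by strength (simplified model, assumption)."""
    NONE = 0
    S0 = 1   # key shared unencrypted during the brief pairing window
    S2 = 2   # key exchange protected; mandated for new certified devices


@dataclass
class Controller:
    """Hypothetical S2-capable hub applying a downgrade-aware inclusion policy."""
    supports: SecurityClass = SecurityClass.S2
    enrolled: dict = field(default_factory=dict)        # node_id -> class used at inclusion
    notifications: list = field(default_factory=list)   # user-visible notices (assumed format)

    def include(self, node_id, offered, opt_in=False):
        """Negotiate the inclusion class for `node_id` and apply policy.

        `offered` is the highest class the joining device appears to support.
        Stripping the S2 part of the exchange makes an S2 device appear to
        offer only S0, so the controller cannot trust `offered` alone.
        Returns the class the node is enrolled with, or None if refused.
        """
        negotiated = min(self.supports, offered)
        previous = self.enrolled.get(node_id)
        if negotiated < SecurityClass.S2 and self.supports >= SecurityClass.S2:
            # Current Alliance requirement: notify whenever an S0 enrollment occurs.
            self.notifications.append(
                f"node {node_id}: enrolling at {negotiated.name} although controller supports S2")
            # Added check: a node already known at S2 re-pairing at S0 is a downgrade signal.
            if previous is not None and previous > negotiated:
                self.notifications.append(
                    f"node {node_id}: DOWNGRADE from {previous.name} to {negotiated.name} refused")
                return None
            # Planned measure: the user must explicitly opt in to an S0 enrollment.
            if not opt_in:
                self.notifications.append(f"node {node_id}: S0 enrollment refused, opt-in required")
                return None
        self.enrolled[node_id] = negotiated
        return negotiated
```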
So far, 155 S2-enabled SKUs have been Z-Wave-certified, of which at least 15 are hubs.
[Perhaps we should work on the low-hanging fruit, like requiring consumers to change passwords from the default, discouraging port forwarding, installing security patches … A hacker would be much better off just sneaking into the home and dropping a USB stick into anyone’s computer, hub or consumer-electronics device.]